Re: [bugfix] try_to_unmap_cluster() passes out-of-bounds pte topte_unmap()

[Andrew Morton]

William Lee Irwin III <wli@xxxxxxxxxxxxxx> wrote:
>
> --- ./mm/rmap.c.orig	2005-05-20 01:29:14.066467151 -0700
> +++ ./mm/rmap.c	2005-05-20 01:30:06.620649901 -0700
> @@ -694,7 +694,7 @@
>  		(*mapcount)--;
>  	}
>  
> -	pte_unmap(pte);
> +	pte_unmap(pte-1);
>  out_unlock:
>  	spin_unlock(&mm->page_table_lock);
>  }

I must say that I continue to find this approach a bit queazifying.

After some reading of the code I'd agree that yes, it's not possible for us
to get here with `pte' pointing at the first slot of the pte page, but it's
not 100% obvious and it's possible that someone will come along later and
will change things in try_to_unmap_cluster() which cause this unmap to
suddenly do the wrong thing in rare circumstances.

IOW: I'd sleep better at night if we took a temporary and actually unmapped
the thing which we we got back from pte_offset_map()..  Am I being silly?

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/